CodeQL documentation
CodeQL resources

CodeQL 2.19.0 (2024-09-18)

This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the code scanning section on the GitHub blog, relevant GitHub Changelog updates, changes in the CodeQL extension for Visual Studio Code, and the CodeQL Action changelog.

Security Coverage

CodeQL 2.19.0 runs a total of 426 security queries when configured with the Default suite (covering 164 CWE). The Extended suite enables an additional 128 queries (covering 34 more CWE). 1 security query has been added with this release.

CodeQL CLI

Improvements

  • codeql database analyze and codeql database interpret-results now support the --sarif-run-property option. You can provide this option when using a SARIF output format to add a key-value pair to the property bag of the run object.

Miscellaneous

  • The build of Eclipse Temurin OpenJDK that is used to run the CodeQL CLI has been updated to version 21.0.4.

Query Packs

Major Analysis Improvements

JavaScript/TypeScript

  • Added a new query (js/actions/actions-artifact-leak) to detect GitHub Actions artifacts that may leak the GITHUB_TOKEN token.

Minor Analysis Improvements

C/C++

  • Removed false positives caused by buffer accesses in unreachable code
  • Removed false positives caused by inconsistent type checking
  • Add modeling of C functions that don’t throw, thereby increasing the precision of the cpp/incorrect-allocation-error-handling (“Incorrect allocation-error handling”) query. The query now produces additional true positives.

Python

  • The py/clear-text-logging-sensitive-data and py/clear-text-storage-sensitive-data queries have been updated to exclude the certificate classification of sensitive sources, which often do not contain sensitive data.

Language Libraries

Bug Fixes

Golang

  • Golang vendor directories not at the root of a repository are now correctly excluded from the baseline Go file count. This means code coverage information will be more accurate.

Breaking Changes

C/C++

  • Deleted many deprecated taint-tracking configurations based on TaintTracking::Configuration.
  • Deleted many deprecated dataflow configurations based on DataFlow::Configuration.
  • Deleted the deprecated hasQualifiedName and isDefined predicates from the Declaration class, use hasGlobalName and hasDefinition respectively instead.
  • Deleted the getFullSignature predicate from the Function class, use getIdentityString(Declaration) from semmle.code.cpp.Print instead.
  • Deleted the deprecated freeCall predicate from Alloc.qll. Use DeallocationExpr instead.
  • Deleted the deprecated explorationLimit predicate from DataFlow::Configuration, use FlowExploration<explorationLimit> instead.
  • Deleted the deprecated getFieldExpr predicate from ClassAggregateLiteral, use getAFieldExpr instead.
  • Deleted the deprecated getElementExpr predicate from ArrayOrVectorAggregateLiteral, use getAnElementExpr instead.

C#

  • Deleted many deprecated taint-tracking configurations based on TaintTracking::Configuration.
  • Deleted many deprecated dataflow configurations based on DataFlow::Configuration.
  • Deleted the deprecated explorationLimit predicate from DataFlow::Configuration, use FlowExploration<explorationLimit> instead.

Golang

  • Deleted many deprecated taint-tracking configurations based on TaintTracking::Configuration.
  • Deleted the deprecated explorationLimit predicate from DataFlow::Configuration, use FlowExploration<explorationLimit> instead.

Java/Kotlin

  • Deleted the deprecated ProcessBuilderConstructor, MethodProcessBuilderCommand, and MethodRuntimeExec from JDK.qll.
  • Deleted the deprecated explorationLimit predicate from DataFlow::Configuration, use FlowExploration<explorationLimit> instead.
  • Deleted many deprecated taint-tracking configurations based on TaintTracking::Configuration.
  • Deleted the deprecated getURI predicate from CamelJavaDslToDecl and SpringCamelXmlToElement, use getUri instead.
  • Deleted the deprecated ExecCallable class from ExternalProcess.qll.
  • Deleted many deprecated dataflow configurations based on DataFlow::Configuration.
  • Deleted the deprecated PathCreation.qll file.
  • Deleted the deprecated WebviewDubuggingEnabledQuery.qll file.

JavaScript/TypeScript

  • Deleted the deprecated isHTMLElement and getDOMName predicates from the JSX library, use isHtmlElement and getDomName respectively instead.
  • Deleted the deprecated getPackageJSON predicate from the SourceMappingComment class, use SourceMappingComment instead.
  • Deleted many deprecated directives from the Stmt.qll file, use the Directive:: module instead.
  • Deleted the deprecated YAMLNode, YAMLValue, and YAMLScalar classes from the YAML libraries, use YamlNode, YamlValue, and YamlScalar respectively instead.
  • Deleted the deprecated getARouteHandlerExpr predicate from Connect.qll, use getARouteHandlerNode instead.
  • Deleted the deprecated getGWTVersion predicate from GWT.qll, use getGwtVersion instead.
  • Deleted the deprecated getOwnOptionsObject predicate from Vue.qll, use getOwnOptions().getASink() instead.

Python

  • Deleted the deprecated explorationLimit predicate from DataFlow::Configuration, use FlowExploration<explorationLimit> instead.
  • Deleted the deprecated semmle.python.RegexTreeView module, use semmle.python.regexp.RegexTreeView instead.
  • Deleted the deprecated RegexString class from regex.qll.
  • Deleted the deprecated Regex class, use RegExp instead.
  • Deleted the deprecated semmle/python/security/SQL.qll file.
  • Deleted the deprecated useSSL predicates from the LDAP libraries, use useSsl instead.

Ruby

  • Deleted the deprecated getURL predicate the Http::Request class, use getAUrlPart instead.
  • Deleted the deprecated getNode predicate from the CfgNode class, use getAstNode instead.
  • Deleted the deprecated explorationLimit predicate from DataFlow::Configuration, use FlowExploration<explorationLimit> instead.
  • Deleted many deprecated dataflow configurations based on DataFlow::Configuration.
  • Deleted many deprecated taint-tracking configurations based on TaintTracking::Configuration.

Swift

  • Deleted the deprecated explorationLimit predicate from DataFlow::Configuration, use FlowExploration<explorationLimit> instead.
  • Deleted the deprecated getDerivedTypeDecl predicate from the TypeDecl class, use getADerivedTypeDecl or getABaseTypeDecl instead.

Major Analysis Improvements

Java/Kotlin

  • A generated (Models as Data) summary model is no longer used, if there exists a source code alternative. This primarily affects the analysis, when the analysis includes generated models for the source code being analysed.

JavaScript/TypeScript

  • Added support for TypeScript 5.6.

Minor Analysis Improvements

C/C++

  • Added a data flow model for swap member functions, which were previously modeled as taint tracking functions. This change improves the precision of queries where flow through swap member functions might affect the results.
  • Added a data flow model for realloc-like functions, which were previously modeled as a taint tracking functions. This change improves the precision of queries where flow through realloc-like functions might affect the results.

C#

  • Parameters of public methods in abstract controller-like classes are now considered remote flow sources.
  • The reported location of partial methods has been changed from the definition to the implementation part.

Golang

  • When a function or type has more than one anonymous type parameters, they were mistakenly being treated as the same type parameter. This has now been fixed.
  • Local source models for reading and parsing environment variables have been added for the following libraries:
    • os
    • syscall
    • github.com/caarlos0/env
    • github.com/gobuffalo/envy
    • github.com/hashicorp/go-envparse
    • github.com/joho/godotenv
    • github.com/kelseyhightower/envconfig
  • Local source models have been added for the APIs which open files in the io/fs, io/ioutil and os packages in the Go standard library. You can optionally include threat models as appropriate when using the CodeQL CLI and in GitHub code scanning. For more information, see Analyzing your code with CodeQL queries and Customizing your advanced setup for code scanning.

New Features

C/C++

  • Added a class C11GenericExpr to represent C11 generic selection expressions. The generic selection is represented as a Conversion on the expression that will be selected.
  • Added subclasses of BuiltInOperations for the __is_scoped_enum, __is_trivially_equality_comparable, and __is_trivially_relocatable builtin operations.
  • Added a subclass of Expr for __datasizeof expressions.
  • © GitHub, Inc.
  • Terms
  • Privacy